From: "Lev A. Serebryakov"
Date: Fri, 31 May 2013 21:41:56 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r319544 - in head: devel/subversion devel/subversion16 security/vuxml

Author: lev
Date: Fri May 31 21:41:55 2013
New Revision: 319544
URL: http://svnweb.freebsd.org/changeset/ports/319544

Log:
  Update subversion ports to 1.7.10 and 1.6.23.

  It fixes 3 security issues:

  CVE-2013-1968: fsfs repository corruption caused by newline characters in filenames
  CVE-2013-2088: contrib hook-scripts can allow arbitrary code execution
  CVE-2013-2112: svnserve remotely triggerable DoS.

  Security: CVE-2013-1968
  Security: CVE-2013-2088
  Security: CVE-2013-2112

Modified:
  head/devel/subversion/Makefile.common
  head/devel/subversion/distinfo
  head/devel/subversion16/Makefile.inc
  head/devel/subversion16/distinfo
  head/security/vuxml/vuln.xml

Modified: head/devel/subversion/Makefile.common ============================================================================== --- head/devel/subversion/Makefile.common Fri May 31 21:09:20 2013 (r319543) +++ head/devel/subversion/Makefile.common Fri May 31 21:41:55 2013 (r319544) 
@@ -2,8 +2,8 @@ # $FreeBSD$ PORTNAME= subversion -PORTVERSION= 1.7.9 -PORTREVISION?= 1 +PORTVERSION= 1.7.10 +PORTREVISION?= 0 CATEGORIES+= devel MASTER_SITES= ${MASTER_SITE_APACHE:S/$/:main/} \ ${MASTER_SITE_LOCAL:S/$/:book/} Modified: head/devel/subversion/distinfo ============================================================================== --- head/devel/subversion/distinfo Fri May 31 21:09:20 2013 (r319543) +++ head/devel/subversion/distinfo Fri May 31 21:41:55 2013 (r319544) @@ -1,6 +1,2 @@ -SHA256 (subversion17/subversion-1.7.9.tar.bz2) = f8454c585f99afed764232a5048d9b8bfd0a25a9ab8e339ea69fe1204c453ef4 -SIZE (subversion17/subversion-1.7.9.tar.bz2) = 6040347 -SHA256 (subversion17/svn-book-html-r4304.tar.bz2) = a63d958b1ae70daf2ac93a53ece70a0ba0f8f7de7af3f74a665fe44b8f50ca14 -SIZE (subversion17/svn-book-html-r4304.tar.bz2) = 467806 -SHA256 (subversion17/svn-book-r4304.pdf) = 1b2cada79db8268fd6cd55fac4e5ee04c1e2977bbc587fa1098bd3613b9689b2 -SIZE (subversion17/svn-book-r4304.pdf) = 1921443 +SHA256 (subversion17/subversion-1.7.10.tar.bz2) = c1df222bec83d014d17785e2ceba6bc80962f64b280967de0285836d8d77a8e7 +SIZE (subversion17/subversion-1.7.10.tar.bz2) = 5952121 Modified: head/devel/subversion16/Makefile.inc ============================================================================== --- head/devel/subversion16/Makefile.inc Fri May 31 21:09:20 2013 (r319543) +++ head/devel/subversion16/Makefile.inc Fri May 31 21:41:55 2013 (r319544) @@ -1,4 +1,4 @@ # $FreeBSD$ # this keeps subversion16 and ../svnmerge in sync, see pr 164854 -PORTVERSION= 1.6.21 +PORTVERSION= 1.6.23 Modified: head/devel/subversion16/distinfo ============================================================================== --- head/devel/subversion16/distinfo Fri May 31 21:09:20 2013 (r319543) +++ head/devel/subversion16/distinfo Fri May 31 21:41:55 2013 (r319544) 
@@ -1,6 +1,2 @@ -SHA256 (subversion/subversion-1.6.21.tar.bz2) = efece333259a8cc37bc1af7210f2587cccd8dd484700458d324bfe3247875cd6 -SIZE (subversion/subversion-1.6.21.tar.bz2) = 5564522 -SHA256 (subversion/svn-book-html.tar.bz2) = 5c4788e1f225b3186db5979b071fcc4c9543bfb5916cd62e003eea4507b8c8cb -SIZE (subversion/svn-book-html.tar.bz2) = 406484 -SHA256 (subversion/svn-book.pdf) = 64e483cd27be6752eb8dfc1b00749f8dc46adfc4fb1ab1356dd8e2406d878225 -SIZE (subversion/svn-book.pdf) = 1671317 +SHA256 (subversion/subversion-1.6.23.tar.bz2) = 214abc6b9359ea3a5fda2dee87dad110d1b33dcf888c1f8e361d69fbfa053943 +SIZE (subversion/subversion-1.6.23.tar.bz2) = 5566442 Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Fri May 31 21:09:20 2013 (r319543) +++ head/security/vuxml/vuln.xml Fri May 31 21:41:55 2013 (r319544) @@ -51,6 +51,95 @@ Note: Please add new entries to the beg --> + + devel/subversion -- svnserve remotely triggerable DoS + + + subversion + 1.7.01.7.10 + 1.0.01.6.23 + + + + +

Subversion team reports:

+
+

Subversion's svnserve server process may exit when an incoming TCP connection + is closed early in the connection process.

+
+ +
+ + CVE-2013-2112 + + + 2013-05-31 + 2013-05-31 + +
+ + + devel/subversion -- contrib hook-scripts can allow arbitrary code execution + + + subversion + 1.7.01.7.10 + 1.2.01.6.23 + + + + +

Subversion team reports:

+
+

The script contrib/hook-scripts/check-mime-type.pl does not escape + argv arguments to 'svnlook' that start with a hyphen. This could be + used to cause 'svnlook', and hence check-mime-type.pl, to error out.

+

The script contrib/hook-scripts/svn-keyword-check.pl parses filenames + from the output of 'svnlook changed' and passes them to a further + shell command (equivalent to the 'system()' call of the C standard + library) without escaping them. This could be used to run arbitrary + shell commands in the context of the user whom the pre-commit script + runs as (the user who owns the repository).

+
+ +
+ + CVE-2013-2088 + + + 2013-05-31 + 2013-05-31 + +
+ + + devel/subversion -- fsfs repositories can be corrupted by newline characters in filenames + + + subversion + 1.7.01.7.10 + 1.1.01.6.23 + + + + +

Subversion team reports:

+
+

If a filename which contains a newline character (ASCII 0x0a) is + committed to a repository using the FSFS format, the resulting + revision is corrupt.

+
+ +
+ + CVE-2013-1968 + + + 2013-05-31 + 2013-05-31 + +
+ irc/bitchx -- multiple vulnerabilities
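
Review bot: In head/devel/subversion/Makefile.common, `PORTREVISION?= 0` only sets a default, so any port that includes this file and assigns its own PORTREVISION will keep that value on top of 1.7.10. No other Makefile appears in the Modified list, so it is worth confirming that none of the ports built from Makefile.common carries its own PORTREVISION that should have been reset in the same commit.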
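
Review bot: In head/devel/subversion/distinfo, the hunk drops the SHA256 and SIZE entries for svn-book-html-r4304.tar.bz2 and svn-book-r4304.pdf, yet the unchanged context in Makefile.common still lists `${MASTER_SITE_LOCAL:S/$/:book/}` under MASTER_SITES. If any option still fetches the book distfiles, they now have no recorded checksum to verify against. Either keep those entries in distinfo or remove the `:book` master site along with them, and mention the removal in the log, which currently describes only the version update.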
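
Review bot: In head/devel/subversion16/distinfo, the checksum entries for svn-book-html.tar.bz2 and svn-book.pdf are removed along with the 1.6.21 tarball, leaving only subversion-1.6.23.tar.bz2. The Makefile.inc hunk for this port changes PORTVERSION only, so nothing visible here shows the port no longer needs the book files. Confirm that the 1.6 port no longer lists them in DISTFILES, or restore their SHA256 and SIZE lines.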
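
Review bot: In head/security/vuxml/vuln.xml, all three new entries match on the single package name `subversion`, with one range ending at 1.7.10 and a second ending at 1.6.23. Because this commit also updates devel/subversion16 to 1.6.23 for the same CVEs, confirm that packages built from that port are actually named `subversion`. If they use a different name, the second range will never flag an installed 1.6 package and a separate name line is needed. Each entry's references also show only the CVE identifier, so adding the upstream advisory URL for each CVE would let readers reach the full report.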